Thoughts on Information Security, Technology, and Science

Web/Tech

August 13, 2013

The phenomenon of the Internet of Things (IoT) is positively influencing our lives by augmenting our spaces with intelligent, connected devices. Examples include lightbulbs, motion sensors, door locks, video cameras, thermostats, and power outlets. By 2022, the average household with two teenage children will own roughly 50 such Internet-connected devices, according to estimates by the Organization for Economic Co-operation and Development (OECD). Our society is increasingly depending on IoT devices to promote automation and improve our well-being. As such, it is important that we begin a dialogue on how to securely enable this upcoming technology.

I am excited to release my security research on the Philips hue lighting system. The hue personal wireless lighting system is available for purchase from the Apple Store and other outlets. Out of the box, the system comprises wireless LED light bulbs and a wireless bridge. The light bulbs can be configured to any of 16 million colors.

I'd like to highlight a particular vulnerability that can be used by malware on an infected machine on the user's internal network to cause a sustained blackout. A video demonstration of this vulnerability is embedded above. For details, please read the PDF. The sample malware script (hue_blackout.bash) can be found in Appendix A.

Here were the goals of the research:

- Lighting is critical to physical security. Smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. An abuse case such as the ability of an intruder to remotely shut off lighting in locations such as hospitals and other public venues can result in serious consequences.

- The system is readily available in the marketplace and is one of the more popular self-installable wireless light bulb solutions.

- The architecture employs a mix of network protocols and application interfaces that is interesting to evaluate from a design perspective. It is likely that competing products will deploy similar interfaces thereby inheriting abuse cases.

The hue system is a wonderfully innovative product. It is therefore important to understand how it works and, ultimately, to push forward the secure enablement of similar IoT products.

April 06, 2010

Facebook users have been repeatedly warned and educated to understand that 3rd party Facebook applications can consume their private information. As such, many users have come to expect a fair warning (illustrated in the figure below) that includes an explicit authorization request from the Facebook platform when a 3rd party Facebook application is accessed.

“Automatic authentication means that if a user visits an application canvas page (whether it's an FBML- or iframe-based canvas page), Facebook will pass that visitor's user ID to the application, even if the user has not authorized the application. The UID also gets passed when a user interacts with another user's application tab.

With this ID, the application can access the following data for most users (except for users who have chosen to not display a public search listing):

- name
- friends
- Pages fanned
- profile picture
- gender
- current location
- networks (regional affiliations only)
- list of friends”

The ‘Automatic Authentication’ feature is not new; it has been in place since July 2008. I’m bringing it to attention today for the following reasons:

Even the more privacy-savvy individuals are not aware of this ‘feature’. Individuals who have made the effort to learn about Facebook’s privacy settings are unlikely to be aware of this capability. Many of these users are likely to click freely on URLs within Facebook because they rely on the Facebook platform to ask for explicit authorization when a 3rd party application page is opened.

The implications of publicly available data and the potential ability of a rogue 3rd party to uncloak a specific user’s identity are separate issues.

In its explanation on the developer wiki, Facebook explicitly states that 3rd party applications using this feature can only gather information about the given user that may be publicly searchable anyway.

However, this assurance from Facebook is without merit because its implied reasoning rests on a flawed assumption: the act of users choosing to make some of their information publicly searchable does not in any way imply that they are granting rogue 3rd party applications the ability to uncloak their identity (and data). Here is a simple example: my name is Nitesh Dhanjani and the information on my blog is public; however, my web browser vendor cannot use this as a reasonable excuse to uncloak my identity to 3rd party web applications I visit.

The widening delta between the granularity of controls provided by social media platforms and the controls demanded by privacy advocates may lead to the need for client-side controls.

Image: The fb_fromhash parameter

For example, users who land on Facebook applications will notice a parameter called _fb_fromhash, which is present regardless of which authorization mechanism the 3rd party Facebook application chooses to use. This could be leveraged to create a browser-side control (for example, a Firefox plug-in) that warns the user that he or she may be accessing a 3rd party application with the ability to automatically capture his or her identity. In other words, I foresee the need for a client-side model to bridge the gap between the privacy controls provided by vendors of social platforms and the needs of individual users. A social-privacy-client-IDS, if you want to call it that.
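As an added illustration of the client-side control proposed above (this is example code written for this page, not code from the original post or from any Facebook or browser-extension project), the following inspects a URL for the _fb_fromhash parameter and produces the warning a plug-in could show the user. Only the parameter name comes from the post; the sample URLs are constructed, the host names are placeholders, and the choice to check both the query string and the fragment is an assumption about where the parameter may appear.

```javascript
// Added example, not part of the original post. A minimal "social-privacy-client-IDS":
// flag pages that carry the _fb_fromhash parameter so a browser extension can warn
// the user before a third-party application silently obtains their identity.

const AUTO_AUTH_MARKER = '_fb_fromhash'; // parameter name from the post

// Collect parameter names from a "?a=b&c=d" or "#a=b&c=d" string.
// Checking the fragment as well as the query is an assumption: canvas pages
// could carry state in either place.
function paramNames(raw) {
  const names = new Set();
  for (const [name] of new URLSearchParams(raw.replace(/^[?#]/, ''))) {
    names.add(name);
  }
  return names;
}

// Inspect one URL. Returns { flagged, location, host, message }.
function inspectUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { flagged: false, location: null, host: null, message: 'not a valid URL' };
  }
  const inQuery = paramNames(url.search).has(AUTO_AUTH_MARKER);
  const inFragment = paramNames(url.hash).has(AUTO_AUTH_MARKER);
  if (!inQuery && !inFragment) {
    return { flagged: false, location: null, host: url.host, message: 'no automatic-authentication marker seen' };
  }
  const location = inQuery ? 'query' : 'fragment';
  return {
    flagged: true,
    location,
    host: url.host,
    message: `Warning: ${url.host} received ${AUTO_AUTH_MARKER} (${location}); ` +
      'a third-party application here may obtain your identity without an authorization prompt.',
  };
}

// Show the warning once per host: after the user acknowledges a host, stay quiet for it.
class AutoAuthWarner {
  constructor() {
    this.acknowledged = new Set();
  }
  // Called on every navigation; returns a warning string or null.
  onNavigate(urlString) {
    const result = inspectUrl(urlString);
    if (!result.flagged || this.acknowledged.has(result.host)) return null;
    return result.message;
  }
  acknowledge(host) {
    this.acknowledged.add(host);
  }
}

// Constructed sample URLs (placeholder host, not captured from Facebook).
const SAMPLE_URLS = [
  'https://apps.example-social.test/someapp/?_fb_fromhash=abc123&ref=bookmarks',
  'https://apps.example-social.test/otherapp/#_fb_fromhash=def456',
  'https://apps.example-social.test/plainapp/?ref=bookmarks',
];

// Walk the samples through a fresh warner; the third yields null (nothing to warn about).
function demo() {
  const warner = new AutoAuthWarner();
  return SAMPLE_URLS.map((u) => warner.onNavigate(u));
}

console.log(demo());
```

In a real extension the `onNavigate` hook would be wired to the browser's navigation events and `acknowledge` to the warning dialog's "don't warn me again for this site" button; the detection itself is deliberately a pure function so it can be unit-tested without a browser.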

Indeed, there is a clear rule of thumb pertaining to the use of online social applications: don’t put anything online that you wouldn’t want to persist in the public domain. However, this does not mean that the brands in the business of providing us social platforms can go scot-free. I sincerely hope this post has provided you some additional information on how ‘automatic authentication’ works and what its implications are, in case you were not aware of it before.

Description

With the advent of rich Internet applications, the explosion of social media, and the increased use of powerful cloud computing infrastructures, a new generation of attackers has added cunning new techniques to its arsenal. For anyone involved in defending an application or a network of systems, Hacking: The Next Generation is one of the few books to identify a variety of emerging attack vectors.

You'll not only find valuable information on new hacks that attempt to exploit technical flaws, you'll also learn how attackers take advantage of individuals via social networking sites, and abuse vulnerabilities in wireless technologies and cloud infrastructures. Written by seasoned Internet security professionals, this book helps you understand the motives and psychology of hackers behind these attacks, enabling you to better prepare and defend against them.

- Understand the new wave of "blended threats" that take advantage of multiple application vulnerabilities to steal corporate data
- Recognize weaknesses in today's powerful cloud infrastructures and how they can be exploited
- Prevent attacks against the mobile workforce and their devices containing valuable data
- Be aware of attacks via social networking sites to obtain confidential information from executives and their assistants
- Get case studies that show how several layers of vulnerabilities can be used to compromise multinational corporations

[Chapter 1] Intelligence Gathering: Peering Through the Windows to Your Organization

To successfully execute an attack against any given organization, the attacker must first perform reconnaissance to gather as much intelligence about the organization as possible. In this chapter, we look at traditional attack methods as well as how the new generation of attackers is able to leverage new technologies for information gathering.

[Chapter 2] Inside-Out Attacks: The Attacker Is the Insider

Not only does the popular perimeter-based approach to security provide little risk reduction today, but it is in fact contributing to an increased attack surface that criminals are using to launch potentially devastating attacks. The impact of the attacks illustrated in this chapter can be extremely devastating to businesses that approach security with a perimeter mindset where the insiders are generally trusted with information that is confidential and critical to the organization.

[Chapter 3] The Way It Works: There Is No Patch

The protocols that support network communication, which are relied upon for the Internet to work, were not specifically designed with security in mind. In this chapter, we study why these protocols are weak and how attackers have and will continue to exploit them.

[Chapter 4] Blended Threats: When Applications Exploit Each Other

The amount of software installed on a modern computer system is staggering. With so many different software packages on a single machine, the complexity of managing the interactions between these software packages becomes increasingly complex. Complexity is the friend of the next-generation hacker. This chapter exposes the techniques used to pit software against software. We present the various blended threats and blended attacks so that you can gain some insight as to how these attacks are executed and the thought process behind blended exploitation.

[Chapter 5] Cloud Insecurity: Sharing the Cloud with Your Enemy

Cloud computing is seen as the next generation of computing. The benefits, cost savings, and business justifications for moving to a cloud-based environment are compelling. This chapter illustrates how next-generation hackers are positioning themselves to take advantage of and abuse cloud platforms, and includes tangible examples of vulnerabilities we have discovered in today's popular cloud platforms.

[Chapter 6] Abusing Mobile Devices: Targeting Your Mobile Workforce

Today's workforce is a mobile army, traveling to the customer and making business happen. The explosion of laptops, wireless networks, and powerful cell phones, coupled with the need to "get things done," creates a perfect storm for the next-generation attacker. This chapter walks through some scenarios showing how the mobile workforce can be a prime target of attacks.

[Chapter 7] Infiltrating the Phishing Underground: Learning from Online Criminals?

Phishers are a unique bunch. They are a nuisance to businesses and legal authorities and can cause a significant amount of damage to a person's financial reputation. In this chapter, we infiltrate and uncover this ecosystem so that we can shed some light on and advance our quest toward understanding this popular subset of the new generation of criminals.

[Chapter 8] Influencing Your Victims: Do What We Tell You, Please

The new generation of attackers doesn't want to target only networks, operating systems, and applications. These attackers also want to target the people who have access to the data they want to get a hold of. It is sometimes easier for an attacker to get what she wants by influencing and manipulating a human being than it is to invest a lot of time finding and exploiting a technical vulnerability. In this chapter, we look at the crafty techniques attackers employ to discover information about people to influence them.

[Chapter 9] Hacking Executives: Can Your CEO Spot a Targeted Attack?

When attackers begin to focus their attacks on specific corporate individuals, executives often become the prime target. These are the "C Team" members of the company—for instance, chief executive officers, chief financial officers, and chief operating officers. Not only are these executives in higher income brackets than other potential targets, but also the value of the information on their laptops can rival the value of information in the corporation's databases. This chapter walks through scenarios an attacker may use to target executives of large corporations.

[Chapter 10] Case Studies: Different Perspectives

This chapter presents two scenarios on how a determined hacker can cross-pollinate vulnerabilities from different processes, systems, and applications to compromise businesses and steal confidential data.

July 15, 2008

During the next few months, I will be presenting a brand-new talk titled "Suddenly Psychic: Knowing Everything About Everyone" at various conferences around the world. I will be presenting it with Akshay Aggarwal, a good friend of mine. Akshay and I have enjoyed researching the business, security, criminal, social, and psychological implications of this topic, and we look forward to sharing our research with you.

ABSTRACT: Imagine a world where you can remotely influence other people's behavior. This talk will expose how information about people in the physical world, coupled with voluntary information from new communication paradigms such as social networking applications, can enable you to remotely read people's minds to influence their behavior.

Topics of discussion will include:

- Techniques on how individuals may be remotely influenced by focused marketing and messaging tactics, and how criminal groups and governments may abuse this capability.
- Reconnaissance and pillage of confidential information, including intellectual properties owned by businesses.
- Falsified profiles used to construct undeserved reputation as well as the risk of reputation tarnish.
- Remote behavior analysis that can be used to construct personality profiles to predict current and future psychological states of targeted individuals, including discussions on how emotional and subconscious states can be discovered even before the target is consciously aware. This topic will be extended to demonstrate the possibility of criminal abuse and the enablement of economic drivers.
- Decreasing the value of social networks through data poisoning attacks.

The goal of this presentation is to raise awareness of how the new paradigms of social communication bring with them real risks as well as marketing and economic advantages. Perspectives on negative and positive uses will be presented, in addition to academic discussion and thoughts on how to enable the upcoming online social age.

July 01, 2007

I just got myself an iPhone and I'm extremely pleased with it. I think it's the best cell phone on the market - a sheer pleasure to use.

The purpose of this post is to alert new iPhone customers to a security vulnerability in AT&T/Cingular's voicemail system that has not been fixed for more than a year. I first wrote about this on February 1, 2006: Exploit Cingular Voicemail Vulnerability via Caller ID Spoofing. As soon as I got my new AT&T/Cingular number, I tested for this vulnerability and can confirm that it still exists for new AT&T/Cingular accounts (at least for iPhone customers). I can't force AT&T/Cingular to fix this issue, but I can tell you about it so you know how to protect yourself from this vulnerability.

Here is the vulnerability in a nutshell: the AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset (it asks for your voicemail password if you call your number from another cell phone and press * when your voicemail answers). Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine whether the handset is calling it. Because Caller ID can be spoofed easily (see below), anyone can gain access to your voicemail by calling you while spoofing your phone number (it will appear as if you are calling yourself when your phone rings); should you not answer the call, your voicemail will answer and allow the intruder full access to your messages.

Here is how to test the vulnerability:

1. Buy a calling card from Spoofcard. This service lets you spoof your Caller ID.
2. Use another phone and call your cell phone using Spoofcard. When Spoofcard asks you what number you want to spoof, enter your number again.
3. Do not pick up your cell phone. When the call goes to voicemail, if you are able to listen to your messages without being prompted for a password, then you are vulnerable.

Here is how to protect yourself from this vulnerability:

1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to "Personal Options".
3. Press 2 to go to "Administrative Options".
4. Press 1 to go to "Password".
5. Press 2 to turn your password "ON".
6. Hang up and call your voicemail again from your iPhone. If your voicemail system asks you for your voicemail password, you are all set.

I sincerely hope that AT&T/Cingular gets around to fixing this huge security hole in their voicemail system.